CVE-2022-38533: In GNU Binutils before 2.4.0, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file. It obviously means 2.40.
CVE-2022-38128 (https://sourceware.org/bugzilla/show_bug.cgi?id=29370): An infinite loop may be triggered in display_debug_abbrev() function in binutils/dwarf.c while opening a crafted ELF, which may lead to denial of service by a local attacker.
Fixed for 2.40, backport nontrivial